
Page 1: Configure Web Security - Cisco

Configure Web Security

• About the Web Security Module, on page 1
• Typical Web Security Configuration, on page 2
• Web Security Logging, on page 20

About the Web Security Module

The AnyConnect Web Security module is an endpoint component that routes HTTP traffic to a Cisco Cloud Web Security scanning proxy.

Cisco Cloud Web Security deconstructs the elements of a web page so that it can analyze each element simultaneously. For example, if a particular web page combined HTTP, Flash, and Java elements, separate “scanlets” analyze each of these elements in parallel. Cisco Cloud Web Security then allows benign or acceptable content and blocks malicious or unacceptable content based on a security policy defined in the Cisco ScanCenter management portal. This prevents “over blocking,” where an entire web page is restricted because a minority of the content is unacceptable, or “under blocking,” where an entire page is permitted while there is still some unacceptable or possibly harmful content that is being delivered with the page. Cisco Cloud Web Security protects users when they are on or off the corporate network.

With many Cisco Cloud Web Security scanning proxies around the world, users taking advantage of AnyConnect Web Security can route their traffic to the Cisco Cloud Web Security scanning proxy with the fastest response time to minimize latency.

You can configure the Secure Trusted Network Detection feature to identify endpoints that are on the corporate LAN. If this feature is enabled, any network traffic originating from the corporate LAN bypasses Cisco Cloud Web Security scanning proxies. The security of that traffic is managed by other methods and devices on the corporate LAN rather than by Cisco Cloud Web Security.

AnyConnect Web Security features and functions are configured using the AnyConnect Web Security client profile, which you edit using the AnyConnect profile editor.

Cisco ScanCenter is the management portal for Cisco Cloud Web Security. Some of the components created or configured using Cisco ScanCenter are also incorporated in the AnyConnect Web Security client profile.

Note: ISE servers must always be listed in the static exception list, which is configured on the Exceptions pane of the Web Security client profile.

Configure Web Security 1


Typical Web Security Configuration

Procedure

Step 1 Configure Cisco Cloud Web Security Scanning Proxies in the Client Profile.

Step 2 (Optional) Update the Scanning Proxy List if comparing the existing list of Cisco Cloud Web Security scanning proxies in the profile editor with those in the scanning proxy list downloaded from the http://www.scansafe.cisco.com/ website indicates a discrepancy.

Step 3 (Optional) Display or Hide Scanning Proxies from Users.

Step 4 Select a Default Scanning Proxy.

Step 5 (Optional) Specify an HTTP(S) Traffic Listening Port to filter HTTPS web traffic.

Step 6 Configure a host, proxy, or static exception as described in Excluding or Including Endpoint Traffic from Web Scanning Service. This configuration limits the evaluation of network traffic from the designated IP addresses.

Step 7 Configure User Controls and Calculate Fastest Scanning Proxy Response Time. This configuration chooses to which Cisco Cloud Web Security scanning proxy you want users to connect.

Step 8 If you want network traffic originating from the corporate LAN to bypass Cisco Cloud Web Security scanning proxies, Use Secure Trusted Network Detection.

Step 9 Configure Authentication and Sending Group Memberships to the Cisco Cloud Web Security Proxy. This configuration authenticates users based on their enterprise domain or their Cisco ScanCenter or Active Directory group.

Cisco Cloud Web Security Scanning Proxies in the Client Profile

Cisco Cloud Web Security analyzes web content, allowing delivery of benign content to your browser and blocking malicious content based on a security policy. A scanning proxy is a Cisco Cloud Web Security proxy server on which Cisco Cloud Web Security analyzes the web content. The Scanning Proxy panel in the AnyConnect Web Security profile editor defines to which Cisco Cloud Web Security scanning proxies the AnyConnect Web Security module sends web network traffic.

Guidelines for IPv6 Web Traffic

Unless an exception for an IPv6 address, domain name, address range, or wildcard is specified, IPv6 web traffic is sent to the scanning proxy. The scanning proxy performs a DNS lookup to see if there is an IPv4 address for the URL that the user is trying to reach. If the scanning proxy finds an IPv4 address, it uses it for the connection. If no IPv4 address is found, the connection is dropped.

To enable all IPv6 traffic to bypass the scanning proxies, add a ::/0 static exception for all IPv6 traffic. This exception makes all IPv6 traffic bypass all scanning proxies; therefore, IPv6 traffic is not protected by Web Security.


Note: On computers that run Windows, if AnyConnect cannot determine the user ID, the internal IP address is used as the user ID. For example, if the enterprise_domains profile entry is not specified, the internal IP address is used to generate reports in Cisco ScanCenter.

On computers that run Mac OS X, the Web Security module can report the domain the computer is logged in to if the Mac is bound to a domain. If it is not bound to a domain, the Web Security module can report the IP address of the Mac or the username that is currently logged in.

How Users Choose Scanning Proxies

Depending on how their profile is configured, users may choose a scanning proxy, or the AnyConnect Web Security module connects them to the scanning proxy with the fastest response time.

• If their client profile allows user control, users can select a scanning proxy from the Settings tab of the Cisco AnyConnect Secure Mobility Client Web Security tray.

• If their client profile has the Automatic Scanning Proxy Selection preference enabled, AnyConnect Web Security orders the scanning proxies from fastest to slowest and connects users to the scanning proxy with the fastest response time.

• If their client profile does not allow for user control but Automatic Scanning Proxy Selection is enabled, AnyConnect Web Security switches users from their default scanning proxy to the scanning proxy with the fastest response time, provided that the response time is significantly faster than the default scanning proxy to which they originally connected.

• If users start to roam away from their current scanning proxy and Automatic Scanning Proxy Selection is configured in their client profile, AnyConnect Web Security switches users to a new scanning proxy, provided that its response time is significantly faster than their current scanning proxy.

Users know the scanning proxy to which they are connected because AnyConnect Web Security displays the enabled scanning proxy name in the expanded AnyConnect tray icon on Windows, the Advanced Settings tab, and the Advanced Statistics tab of the AnyConnect GUI.

Update the Scanning Proxy List

The Scanning Proxy list in the Web Security profile editor is not editable. You cannot add or remove Cisco Cloud Web Security scanning proxies from the table in the Web Security profile editor.

After you start the Web Security profile editor, it updates the scanning proxy list automatically by contacting a Cisco Cloud Web Security website, which maintains the current list of scanning proxies.

When you add or edit an AnyConnect Web Security client profile, the profile editor compares the existing list of Cisco Cloud Web Security scanning proxies to those in the scanning proxy list downloaded from http://www.scansafe.cisco.com. If the list is out of date, a “Scanning Proxy list is out of date” message and a command button labeled Update List appear. Click Update List to update the scanning proxy list with the most recent list of Cisco Cloud Web Security scanning proxies.

When you click Update List, the profile editor maintains as much of your existing configuration as possible. The profile editor preserves your default scanning proxy setting and the display/hide settings for the existing Cisco Cloud Web Security scanning proxies.


Display or Hide Scanning Proxies from Users

After users establish a VPN connection to the ASA, the ASA downloads a client profile to the endpoint. The AnyConnect Web Security client profile determines which Cisco Cloud Web Security scanning proxies are displayed to users.

For the maximum benefit to roaming users, we recommend that you display all Cisco Cloud Web Security scanning proxies to all users.

Users interact with the scanning proxies marked “Display” in the scanning proxy list of the AnyConnect Web Security client profile in these ways:

• The Cisco Cloud Web Security scanning proxies are displayed to users in the Advanced settings of the Web Security panel of their Cisco AnyConnect Secure Mobility Client interface.

• The AnyConnect Web Security module tests Cisco Cloud Web Security scanning proxies marked “Display” when ordering scanning proxies by response time.

• Users can choose which Cisco Cloud Web Security scanning proxy they connect to if their profile allows for user control.

• Cisco Cloud Web Security scanning proxies marked “Hide” in the scanning proxy table of the AnyConnect Web Security client profile are not displayed to users or evaluated when ordering scanning proxies by response time. Users cannot connect to the scanning proxies marked “Hide.”

Before you begin

Create an AnyConnect Web Security client profile.

Procedure

Step 1 Start the Web Security profile editor using one of the following methods:

• Open ASDM and choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.

• In Stand-alone mode on Windows, choose Start > All Programs > Cisco > Cisco AnyConnect Profile Editor > Web Security Profile Editor.

Step 2 Open the Web Security client profile to edit.

Step 3 To hide or display Cisco Cloud Web Security scanning proxies:

• Choose the scanning proxy to hide and click Hide.

• Choose the name of the scanning proxy that you want to display and click Display. Displaying all Cisco Cloud Web Security scanning proxies is the recommended configuration.

Step 4 Save the AnyConnect Web Security client profile.


Select a Default Scanning Proxy

When users first connect to the network, they are routed to their default scanning proxy. By default, the profile that you create has the following Cisco Cloud Web Security scanning proxy attributes:

• The scanning proxy list is populated with all the Cisco Cloud Web Security scanning proxies that your users have access to, and they are all marked “Display.”

• A default Cisco Cloud Web Security scanning proxy is pre-selected.

• The list of ports on which the AnyConnect Web Security module listens for HTTP traffic is provisioned with several ports.

Procedure

Step 1 Start the Web Security profile editor using one of the following methods:

• Open ASDM and choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.

• In Stand-alone mode on Windows, choose Start > All Programs > Cisco > Cisco AnyConnect Profile Editor > Web Security Profile Editor.

Step 2 Open the Web Security client profile to edit.

Step 3 Select a default scanning proxy from the Default Scanning Proxy field.

Step 4 Save the AnyConnect Web Security client profile.

Specify an HTTP(S) Traffic Listening Port

The Scan Safe web scanning service analyzes HTTP web traffic by default, and you can filter HTTPS web traffic through configuration. In the Web Security client profile, specify which ports you want Web Security to “listen” to for these types of network traffic.

Procedure

Step 1 Start the Web Security profile editor using one of the following methods:

• Open ASDM and choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.

• In Stand-alone mode on Windows, choose Start > All Programs > Cisco > Cisco AnyConnect Profile Editor > Web Security Profile Editor.

Step 2 Open the Web Security client profile to edit.

Step 3 In the Traffic Listen Port field, enter the logical port number that you want the Web Security module to “listen” to for HTTP traffic, HTTPS traffic, or both.

Step 4 Save the Web Security client profile.


Configuring Windows Internet Options to Configure Public Proxy

Public proxies are usually used to anonymize web traffic. Public proxy servers are referred to as authenticating proxy servers and may require a username and password. AnyConnect Web Security supports two types of authentication: basic and NTLM. When the proxy server is configured to require authentication, AnyConnect Web Security detects the proxy at run time and manages the authentication process. After successfully authenticating to the proxy server, AnyConnect Web Security routes web traffic via the public proxy to the Cisco Cloud Web Security scanning proxy. AnyConnect Web Security encrypts the proxy credentials, caches them securely in memory, and does not require credentials again, even if the user goes from the proxy network to a non-proxy network and comes back to the same network. No service restart is required to work with a public proxy. When a user moves to a non-proxy network, AnyConnect Web Security detects it automatically at runtime and starts sending web traffic directly to the Cisco Cloud Web Security scanning proxy.

When Windows Internet options are configured to use a public proxy on a client, AnyConnect uses that connection.

Note: Basic and NTLM public proxy are supported on Windows. Only Basic public proxy is supported on Mac.

1. Open Internet Options from Internet Explorer or the Control Panel.

2. Choose the Connections Tab and click LAN settings.

3. Configure the LAN to use a proxy server.

4. Enter the IP address or hostname of the proxy server. If separate proxies are configured for FTP/HTTP/HTTPS, only the HTTPS proxy is considered.

Limitations

• IPv6 and TND behind public proxies are not supported.

• The proxy IP should not be in the AnyConnect Web Security exception list; otherwise, traffic will not be directed to AnyConnect Web Security.

• If the proxy port is different from the default web port, then the proxy port needs to be added to the kdf listening port list of the AnyConnect Web Security profile.

Excluding or Including Endpoint Traffic from Web Scanning Service

To exclude or include specific network traffic from Cisco Cloud Web Security scanning, use the Web Security profile editor to configure exceptions for that traffic. Several categories of exceptions can be configured:

• Host Exceptions or Host Inclusions—With Host Exceptions configured, the IP addresses (either public or private, host names, or subnets) that you enter are bypassed. With Host Inclusions configured, the IP addresses (either public or private, host names, or subnets) that you enter are forwarded to the Web Security proxy, while all remaining traffic is bypassed.

Note: AnyConnect can still intercept traffic that is listed in Host Exceptions.

• Proxy Exceptions—Internal proxy servers listed here are excluded from scanning.


• Static Exceptions—IP addresses listed here are excluded from scanning and AnyConnect.

ISE Server Requirements

ISE servers must always be listed in the static exception list, which is configured on the Exceptions pane of the Web Security client profile. In addition, the Web Security module must bypass ISE Posture probes so that the ISE Posture client can reach the ISE server. The ISE Posture profile sends network probes to find the ISE server in the following order:

1. Default gateway

2. Discovery host

3. enroll.cisco.com

4. Previously connected ISE server

Exclude or Include Host Exceptions

Before you begin

• Do not use wildcards on both sides of a top-level domain, for example *.cisco.*, because this could include phishing sites.

• Do not delete or change any of the default host exception entries.

You can choose to configure either Host Exceptions or Host Inclusions. If you choose Host Exceptions, the specified IP addresses are bypassed by the Cisco Cloud Web Security proxy. If you choose Host Inclusions, the specified IP addresses are forwarded to the Cisco Cloud Web Security proxy while all other traffic is bypassed. Note that AnyConnect may still intercept internet traffic from an excluded host exception. To exclude traffic from both Web Security and AnyConnect, configure a Static Exception.

Procedure

Step 1 Choose Host Exceptions or Host Inclusions.

Step 2 Add the IP addresses (either public or private, host names, or subnets) that you want to bypass or forward, depending on your choice in Step 1.

Step 3 Enter subnets and IP addresses using the following syntax:

Syntax                                          Example
----------------------------------------------  ---------------------------------------
Individual IPv4 and IPv6 addresses              10.255.255.255
                                                2001:0000:0234:C1AB:0000:00A0:AABC:003F
Classless Inter-Domain Routing (CIDR) notation  10.0.0.0/8
                                                2001:DB8::/48
Fully qualified domain names                    windowsupdate.microsoft.com
                                                ipv6.google.com
Wildcards in fully qualified domain names or    127.0.0.*
IP addresses                                    *.cisco.com

Note: Partial domains are not supported; for example, example.com is not supported.

Note: When Web Security is configured to use domain names in the host exception list, a user may be able to spoof the host HTTP header entry in order to bypass the Web Security Proxies. This risk can be mitigated by using IP addresses instead of hostnames in the exception list.
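A checker for the entry syntax in the table above and the wildcard rule from Before you begin, written as an added example (not Cisco's code): it classifies each host exception or inclusion entry, rejects the forms the page calls unsupported, and attaches the Host-header caveat from the note to host-name entries. The sample entry list and the rule that a name with fewer than three labels is a partial domain are assumptions made for this example.

```python
"""Classify host exception / host inclusion entries by the syntax in the
table above (individual IPv4/IPv6 addresses, CIDR notation, fully qualified
domain names, wildcards) and reject the forms the documentation rules out:
partial domains and wildcards on both sides of the top-level domain.
Host-name entries get the Host-header caveat as a warning.
Assumptions for this example: a name with fewer than three labels counts as
a partial domain, and the sample entries are constructed."""
import ipaddress
import re

# One DNS label, or a bare "*" standing in for a whole label.
LABEL = re.compile(r"^(\*|[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)$")
# Dotted quad in which any octet may be "*", e.g. 127.0.0.*
IPV4_WILDCARD = re.compile(r"^(?:(?:\d{1,3}|\*)\.){3}(?:\d{1,3}|\*)$")

SPOOF_WARNING = ("host-name entry: a client can spoof the HTTP Host header "
                 "to slip past the scanning proxy; prefer an IP address")


def classify_host_entry(entry):
    """Return (kind, message). kind is 'ipv4', 'ipv6', 'cidr', 'wildcard-ip',
    'fqdn', 'wildcard-fqdn' or 'invalid'; message is a warning, the reason
    for rejection, or None."""
    e = entry.strip()
    if not e:
        return "invalid", "empty entry"

    # 1. Individual IPv4 or IPv6 address
    try:
        return "ipv%d" % ipaddress.ip_address(e).version, None
    except ValueError:
        pass

    # 2. Classless Inter-Domain Routing (CIDR) notation
    if "/" in e:
        try:
            ipaddress.ip_network(e, strict=False)
            return "cidr", None
        except ValueError:
            return "invalid", "malformed CIDR prefix"

    # 3. IPv4 address with wildcard octets
    if IPV4_WILDCARD.match(e):
        if any(o != "*" and int(o) > 255 for o in e.split(".")):
            return "invalid", "IPv4 octet out of range"
        if "*" not in e:
            return "invalid", "malformed IPv4 address"
        return "wildcard-ip", None

    # 4. Domain names, optionally with wildcard labels
    labels = e.split(".")
    if not all(LABEL.match(label) for label in labels):
        return "invalid", "illegal character in host name"
    if labels[-1] == "*" and "*" in labels[:-1]:
        # "*.cisco.*" would also exempt look-alike and phishing domains.
        return "invalid", "wildcards on both sides of the top-level domain"
    if len(labels) < 3:
        # Assumption: partial domains such as example.com are unsupported.
        return "invalid", "partial domain, not a fully qualified domain name"
    return ("wildcard-fqdn" if "*" in labels else "fqdn"), SPOOF_WARNING


def validate_host_exceptions(entries):
    """Return (accepted, rejected): entry -> kind and entry -> reason."""
    accepted, rejected = {}, {}
    for entry in entries:
        kind, message = classify_host_entry(entry)
        if kind == "invalid":
            rejected[entry] = message
        else:
            accepted[entry] = kind
    return accepted, rejected


# Constructed sample list: the table's own examples plus four bad entries.
SAMPLE_ENTRIES = [
    "10.255.255.255", "2001:0000:0234:C1AB:0000:00A0:AABC:003F",
    "10.0.0.0/8", "2001:DB8::/48",
    "windowsupdate.microsoft.com", "ipv6.google.com",
    "127.0.0.*", "*.cisco.com",
    "example.com",    # partial domain
    "*.cisco.*",      # wildcard on both sides of the TLD
    "10.0.0.1/33",    # impossible prefix length
    "300.1.1.*",      # octet out of range
]

if __name__ == "__main__":
    accepted, rejected = validate_host_exceptions(SAMPLE_ENTRIES)
    for entry, kind in accepted.items():
        print("accept %-42s %s" % (entry, kind))
    for entry, reason in rejected.items():
        print("reject %-42s %s" % (entry, reason))
```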

Exclude Proxy Exceptions

In the Proxy Exceptions area, enter the IP addresses of authorized internal proxies (for example: 172.31.255.255).

You can specify IPv4 and IPv6 addresses in the field, but you cannot specify a port number with them. You cannot specify IP addresses using CIDR notation.

Specifying IP addresses prevents Cisco Cloud Web Security from intercepting web data bound for these servers and tunneling the data through them using SSL. Proxy servers can then operate without disruption. If you do not add your proxy servers here, you see Cisco Cloud Web Security traffic as SSL tunnels.

If you want to exempt any browser traffic via a proxy server, you must list those hostnames in Host Exceptions, so that they are not forwarded. Static exceptions alone are not sufficient for traffic flowing through proxies that are not listed in the Proxy Exceptions list.

For proxies not on this list, Web Security attempts to tunnel through them using SSL. Therefore, if your users are at a different company site that requires a proxy to get out of the network for Internet access, Cisco Cloud Web Security provides the same level of support as if they were on an open Internet connection.

Exclude Static Exceptions

Determine which traffic should bypass Cisco Cloud Web Security and add a list of individual IP addresses or IP address ranges in Classless Inter-Domain Routing (CIDR) notation. In the list, include the ingress IP addresses of your VPN gateways.

If you have multiple hostnames with the same IP address but only one of the hostnames is configured in the Static Exceptions list, Web Security exempts the traffic.

Private IP addresses described in http://www.ietf.org/rfc/rfc1918.txt are included in the static exception list by default.

Note: If you have a proxy server with an IP address in one of the ranges of the static exception list, move that exception to the host exception list. For example, 10.0.0.0/8 appears in the static exception list. If you have a proxy at 10.1.2.3, move 10.0.0.0/8 to the host exception list; otherwise, traffic sent to this proxy bypasses Cloud Web Security.


You can specify IPv4 and IPv6 addresses or ranges of addresses using CIDR notation. You cannot specify fully qualified domain names or use wildcards in IP addresses. Correct syntax examples are as follows:

10.10.10.5

192.0.2.0/24

Note: Add the IP addresses of your SSL VPN concentrators to the static exclusion list.
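An added consistency check (not the product's code) for the three exception lists, covering the proxy-inside-a-static-range case from the note above, the VPN gateway and ::/0 guidance, and the public proxy limitations from Configuring Windows Internet Options to Configure Public Proxy. The profile values, port numbers, the Windows ProxyServer string format and the bypass decision in route_for() are assumptions made for this example.

```python
"""Lint an AnyConnect Web Security exception configuration for the pitfalls
this section and the public-proxy limitations above describe: a proxy whose
address falls inside a static exception range, VPN gateway ingress addresses
missing from Static Exceptions, a ::/0 exception that exempts all IPv6
traffic, and a Windows public proxy that is itself in an exception list or
listens on a port that is not in the profile's listening port list.
Added example, not the product's code: the profile values, ports and Windows
proxy string are constructed, and route_for() is a simplified model of the
bypass decision."""
import ipaddress

DEFAULT_WEB_PORT = 80   # assumption for "the default web port"


def _ip_entries(entries):
    """The IP address / CIDR entries of a list; host-name entries are skipped."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            pass            # FQDN or wildcard entry, not modelled here
    return nets


def parse_windows_proxy(setting):
    """Parse the Internet Options ProxyServer value. Assumed formats:
    'host:port' (one proxy for everything) or 'http=h:p;https=h:p;ftp=h:p';
    with per-protocol proxies only the HTTPS proxy is considered."""
    if "=" in setting:
        parts = dict(p.split("=", 1) for p in setting.split(";") if "=" in p)
        setting = parts.get("https")
        if setting is None:
            return None
    host, _, port = setting.rpartition(":")
    return host.strip("[]"), int(port)


def route_for(destination, profile):
    """Where traffic to an IP destination goes under this profile (model):
    'static' - bypasses Web Security and AnyConnect interception
    'host'   - bypasses Web Security, but AnyConnect may still intercept it
    'scan'   - sent to the scanning proxy (IPv6 is only usable there if the
               proxy finds an IPv4 address for the target)"""
    ip = ipaddress.ip_address(destination)
    if any(ip in net for net in _ip_entries(profile["static_exceptions"])):
        return "static"
    if any(ip in net for net in _ip_entries(profile["host_exceptions"])):
        return "host"
    return "scan"


def lint_profile(profile, windows_proxy=None):
    """Return the list of findings; an empty list means nothing to fix."""
    findings = []
    static = _ip_entries(profile["static_exceptions"])
    for proxy in profile["proxy_exceptions"]:
        hit = [net for net in static if ipaddress.ip_address(proxy) in net]
        if hit:
            findings.append("proxy %s is inside static exception %s; move that "
                            "range to Host Exceptions or traffic through the "
                            "proxy bypasses Cloud Web Security" % (proxy, hit[0]))
    for gateway in profile["vpn_gateways"]:
        if route_for(gateway, profile) != "static":
            findings.append("VPN gateway %s is not in Static Exceptions" % gateway)
    if any(net.version == 6 and net.prefixlen == 0 for net in static):
        findings.append("::/0 is a static exception: no IPv6 traffic is scanned")
    if windows_proxy is not None:
        host, port = windows_proxy
        try:
            excepted = route_for(host, profile) != "scan"
        except ValueError:      # proxy given by name: name matching not modelled
            excepted = False
        if excepted:
            findings.append("public proxy %s is in an exception list, so its "
                            "traffic is not directed to Web Security" % host)
        if port != DEFAULT_WEB_PORT and port not in profile["listen_ports"]:
            findings.append("public proxy port %d is not in the kdf listening "
                            "port list" % port)
    return findings


# Constructed sample profile: the RFC 1918 defaults, a ::/0 catch-all, and a
# proxy at 10.1.2.3 (the documentation's own example of the conflict).
SAMPLE_PROFILE = {
    "static_exceptions": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::/0"],
    "host_exceptions": ["*.corp.example", "198.51.100.0/24"],
    "proxy_exceptions": ["10.1.2.3"],
    "vpn_gateways": ["203.0.113.10"],
    "listen_ports": [80, 8080],
}
# Constructed per-protocol Internet Options value; only the https= part counts.
WINDOWS_PROXY = "http=203.0.113.5:8080;https=203.0.113.5:3128;ftp=203.0.113.5:21"

if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE, parse_windows_proxy(WINDOWS_PROXY)):
        print("-", finding)
```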

Configure User Controls and Calculate Fastest Scanning Proxy Response Time

To allow users to choose which Cisco Cloud Web Security scanning proxy they connect to, perform the following:

Procedure

Step 1 Start the Web Security profile editor using one of the following methods:

• Open ASDM and choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.

• In Stand-alone mode on Windows, choose Start > All Programs > Cisco > Cisco AnyConnect Profile Editor > Web Security Profile Editor.

Step 2 Open the Web Security client profile to edit.

Step 3 Click Preferences.

Step 4 Select User Controllable. (This is the default setting.) User Controllable determines if the user can change the Automatic Tower Selection and Order Scanning Proxies by Response Time settings in the AnyConnect interface.

Step 5 For Web Security to automatically select a scanning proxy, choose Automatic Scanning Proxy Selection. If you do this, Order Scanning Proxies by Response Time is selected automatically.

• If you select Automatic Scanning Proxy Selection, Web Security determines which scanning proxy has the fastest response time and automatically connects the user to that scanning proxy.

• If you do not select Automatic Scanning Proxy Selection, and you still have Order Scanning Proxies by Response Time selected, users are presented with a list of scanning proxies to which they can connect, ordered from fastest to slowest response time.

• If you do not select Automatic Scanning Proxy Selection, users are still free to enable this feature from the AnyConnect user interface, but once enabled, they cannot switch it off again.

Note: When you enable Automatic Scanning Proxy Selection, transient communications interruptions and failures can cause the active scanning proxy selection to change automatically. Changing the scanning proxy can sometimes be undesirable, causing unexpected behavior such as returning search results from a scanning proxy in a different country using a different language.

Step 6 If you selected Order Scanning Proxies by Response Time, configure the following settings for calculating which scanning proxy has the fastest response time.


• Enable Test Interval: The time, in hours and minutes, between running each performance test (2 minutes by default). Switch off the test interval to prevent the test from running by clearing the Enable Test Interval check box.

• Test Inactivity Timeout: The time, in minutes, after which Web Security suspends the response time test because of user inactivity. Web Security resumes the testing as soon as scanning proxies encounter connection attempts. You should not change this setting unless instructed to do so by customer support.

Note: The Ordering Scanning Proxies by Response Time test runs continuously, based on the Test Interval time, with the following exceptions:

• Secure Trusted Network Detection is enabled and has detected that the machine is on the corporate LAN.

• The Web Security license key is missing or invalid.

• The user is inactive for a configured amount of time, and as a result, the Test Inactivity Timeout threshold has been met.

Step 7 Click to enable Secure Trusted Network Detection, which detects when an endpoint is on the corporate LAN, either physically or by means of a VPN connection. If enabled, any network traffic originating from the corporate LAN bypasses Cisco Cloud Web Security scanning proxies.

Step 8 In the https field, enter the URL of each trusted server, then click Add. The URL may include the port address. The profile editor attempts to connect to the trusted server. If this is not possible, but you know the SHA-256 hash of the server's certificate, enter it in the Certificate hash box and click Set.

Step 9 Save the Web Security client profile.

What to do next

See the ScanCenter Administrator Guide, Release 5.2, for more information.

Use Secure Trusted Network Detection

The Secure Trusted Network Detection feature detects when an endpoint is on the corporate LAN, either physically or by means of a VPN connection. If the Secure Trusted Network Detection feature is enabled, any network traffic originating from the corporate LAN bypasses Cisco Cloud Web Security scanning proxies. The security of that traffic gets managed by other methods and devices sitting on the corporate LAN rather than Cisco Cloud Web Security.

Secure Trusted Network Detection verifies the client is connected to the corporate network using the SHA-256 hash (thumbprint) of an SSL certificate on a server at a known URL (address, IP, or FQDN). The encryption algorithm used by the certificate does not matter, but only an SHA-256 hash can be used.

If you choose not to use Secure Trusted Network Detection and you have any proxies on your network, for example Cisco Cloud Web Security Connector, you must add each proxy to the list of proxy exceptions in the Exceptions panel in the profile editor.

Multiple Servers: If you define more than one server, then if the client fails to connect to the first server after two consecutive attempts, it tries the second server. After trying all the servers in the list, the client waits five minutes, and tries to connect to the first server again.


Note: When operating from outside your internal network, Secure Trusted Network Detection makes DNS requests and attempts to contact the HTTPS server that you provisioned. Cisco strongly recommends the use of aliasing to ensure that the name and internal structure of your organization are not revealed through these requests by a machine being used outside your internal network.
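The detection logic described above, modelled as an added example that is not Cisco's code: server-by-server probing with two attempts each and a five-minute wait once the list is exhausted, plus the SHA-256 certificate thumbprint check that stops a merely reachable host from counting as the corporate network. The URLs, the placeholder certificate bytes, the probe stand-in and the handling of a reachable server with a non-matching certificate are assumptions.

```python
"""Model of the Secure Trusted Network Detection (STND) checks described
above: the client tries each trusted server in the profile's order, making
two consecutive attempts per server before moving to the next one, and after
the whole list fails it waits five minutes before starting again with the
first server. A server only proves the corporate network if the SHA-256 hash
of the certificate it presents equals the hash stored in the profile.
Added example, not the product's code: the URLs, the "DER" byte strings and
the probe function are constructed, and treating a reachable server with a
different certificate as a failed server is a modelling choice."""
import hashlib
import hmac

ATTEMPTS_PER_SERVER = 2          # "two consecutive attempts"
RETRY_WAIT_SECONDS = 5 * 60      # "waits five minutes"


def certificate_sha256(der_bytes):
    """Thumbprint as the profile editor stores it: SHA-256 over the DER
    encoding of the whole certificate, so the certificate's key and
    signature algorithms do not matter."""
    return hashlib.sha256(der_bytes).hexdigest()


def thumbprint_matches(der_bytes, expected_hex):
    """Constant-time comparison; accepts the colon-separated or upper-case
    forms in which thumbprints are commonly pasted."""
    expected = expected_hex.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(certificate_sha256(der_bytes), expected)


def detect_trusted_network(servers, probe):
    """servers: list of (url, expected_sha256_hex) as configured in the
    profile. probe(url) returns the DER certificate the server presented or
    raises ConnectionError when it cannot be reached.
    Returns (url, None) when a server proved the corporate network, or
    (None, RETRY_WAIT_SECONDS) when every server failed."""
    for url, expected in servers:
        for _ in range(ATTEMPTS_PER_SERVER):
            try:
                der = probe(url)
            except ConnectionError:
                continue                      # one more try on this server
            if thumbprint_matches(der, expected):
                return url, None
            # Reachable but the pinned hash does not match: reachability alone
            # must never count as "trusted", or a spoofed DNS answer outside
            # the LAN could switch Web Security off. Move to the next server.
            break
    return None, RETRY_WAIT_SECONDS


# Constructed sample data: placeholder byte strings stand in for DER certificates.
CORP_CERT_DER = b"constructed-der-bytes-for-stnd.corp.example"
ROGUE_CERT_DER = b"constructed-der-bytes-for-an-impostor"
TRUSTED_SERVERS = [
    ("https://stnd1.corp.example:8443", certificate_sha256(CORP_CERT_DER)),
    ("https://stnd2.corp.example", certificate_sha256(CORP_CERT_DER)),
]


def make_probe(outcomes):
    """Fake probe: outcomes maps url -> list of per-attempt results, each
    either DER bytes or a ConnectionError instance. Records every attempt."""
    calls = []

    def probe(url):
        calls.append(url)
        result = outcomes[url].pop(0)
        if isinstance(result, Exception):
            raise result
        return result

    probe.calls = calls
    return probe


def scenario_off_network():
    """Outside the LAN nothing answers: two attempts per server, then wait."""
    probe = make_probe({
        "https://stnd1.corp.example:8443": [ConnectionError(), ConnectionError()],
        "https://stnd2.corp.example": [ConnectionError(), ConnectionError()],
    })
    return detect_trusted_network(TRUSTED_SERVERS, probe), len(probe.calls)


def scenario_first_server_down():
    """First server unreachable, second presents the pinned certificate."""
    probe = make_probe({
        "https://stnd1.corp.example:8443": [ConnectionError(), ConnectionError()],
        "https://stnd2.corp.example": [CORP_CERT_DER],
    })
    return detect_trusted_network(TRUSTED_SERVERS, probe), len(probe.calls)


def scenario_impostor():
    """Both names answer, but with a certificate whose hash is not pinned."""
    probe = make_probe({
        "https://stnd1.corp.example:8443": [ROGUE_CERT_DER],
        "https://stnd2.corp.example": [ROGUE_CERT_DER],
    })
    return detect_trusted_network(TRUSTED_SERVERS, probe), len(probe.calls)


if __name__ == "__main__":
    for scenario in (scenario_off_network, scenario_first_server_down, scenario_impostor):
        print(scenario.__name__, scenario())
```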

Before you begin

• Exclude Proxy Exceptions

• You must configure Secure Trusted Network Detection for some third-party solutions, such as data loss prevention (DLP) appliances, which require traffic that is unaffected by Web Security.

• Ensure you have a direct connection to the server where the SSL certificate is hosted when editing the profile.

Procedure

Step 1 Start the Web Security profile editor using one of the following methods:

• Open ASDM and choose Configuration > Remote Access VPN > Network (Client) Access >AnyConnect Client Profile.

• In Stand-alone mode on Windows, choose Start > All Programs > Cisco > Cisco AnyConnect ProfileEditor > Web Security Profile Editor.

Step 2 Open the Web Security client profile that you wish to edit.

Step 3 Click Preferences in the Web Security tree pane.

Step 4 Select Enable Trusted Network Detection.

Step 5 In the https field, enter the URL of each trusted server, then click Add. The URL may include the port address.

The profile editor attempts to connect to the trusted server. If this is not possible, but you know the SHA-256 hash of the server's certificate, enter it in the Certificate hash box and click Set.

Note

Trusted servers behind proxies are not supported.

Step 6 Save the Web Security client profile.
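When the profile editor cannot reach the trusted server (Step 5), you need the SHA-256 hash of its certificate. The helper below computes that value from a PEM file or from a live server. It is an added example, not part of the AnyConnect profile editor; it assumes the Certificate hash field takes the SHA-256 digest of the DER-encoded certificate, the same value `openssl x509 -noout -fingerprint -sha256` prints. The sample DER bytes in the demo are a constructed stand-in, not a real certificate.

```python
# Added example for the Certificate hash field of Secure Trusted Network
# Detection; not part of the AnyConnect profile editor. Assumption: the
# field takes the SHA-256 digest of the DER-encoded server certificate,
# the value shown by: openssl x509 -in server.pem -noout -fingerprint -sha256
import base64
import hashlib
import re
import ssl

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM string."""
    match = _PEM_BLOCK.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def sha256_fingerprint(der: bytes, sep: str = ":") -> str:
    """SHA-256 over the DER bytes, rendered as colon-separated upper-case hex.
    Pass sep="" for a bare hex string; the digest is the same either way."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return sep.join(digest[i : i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_pem(pem: str, sep: str = ":") -> str:
    return sha256_fingerprint(pem_to_der(pem), sep)


def fingerprint_from_server(host: str, port: int = 443, sep: str = ":") -> str:
    """Fetch the leaf certificate from a live server and hash it (needs network).
    ssl.get_server_certificate does not validate the chain, so run this only
    over a direct connection to the trusted server, as the 'Before you begin'
    item requires: hashing a certificate presented by an interposed proxy or
    attacker would pin the wrong server."""
    return fingerprint_from_pem(ssl.get_server_certificate((host, port)), sep)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as PEM (64-column base64); used by the offline demo."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i : i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate; the hashing path is
    # identical for a genuine DER certificate read from disk.
    sample_der = b"constructed DER stand-in for the trusted server certificate"
    print(fingerprint_from_pem(der_to_pem(sample_der)))
```

Because the hash pins one specific certificate, re-run it and update the profile whenever the trusted server's certificate is renewed; otherwise detection silently stops matching and endpoints on the LAN are no longer bypassed.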

Not Using Secure Trusted Network Detection

If you choose not to use Secure Trusted Network Detection and you have any proxies on your network (for example, Cisco Cloud Web Security Connector), you must add each proxy to the list of proxy exceptions in the Exceptions panel of the profile editor.


Configure Authentication and Sending Group Memberships to the Cisco Cloud Web Security Proxy

Before you begin

Switch Off and Enable Filters Using Windows, on page 19

Procedure

Step 1 Start the Web Security profile editor using one of the following methods:

• Open ASDM and choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.

• In Stand-alone mode on Windows, choose Start > All Programs > Cisco > Cisco AnyConnect Profile Editor > Web Security Profile Editor.

Step 2 Open the Web Security client profile that you wish to edit.

Step 3 Click Authentication.

Step 4 In the Proxy Authentication License Key field, enter the license key that corresponds to the company key, group key, or user key that you created in Cisco ScanCenter. To authenticate users based on their Enterprise domain, enter the company key that you created. To authenticate users based on their Cisco ScanCenter or Active Directory group, enter the group key that you created. By default the field is empty. If it is left empty, Web Security operates in pass-through mode.

Step 5 Enter a Service Password. The default password for Web Security is websecurity. Change this password when customizing the profile. The password must contain only alphanumeric characters (a-z, A-Z, 0-9) and the following special characters, because other characters may be mistaken for control characters by the Windows command shell or may have special meaning in XML.

~ @ # $ % * - _ + = { } [ ] : , . ? /

With this password, a user with administrator privileges can stop the Web Security service. Users with or without administrator privileges can start the Web Security service without this password.

Step 6 Send the scanning proxy server Enterprise Domain information and Cisco Cloud Web Security or Active Directory group information with every HTTP request. The scanning proxy applies traffic filtering rules based on what it knows of the user's domain and group membership.

Note

To send a custom username and custom group information for a user to the scanning proxy server, skip this step and go to Step 7. Also skip to Step 7 if your enterprise does not use Active Directory.

a) Click Enable Enterprise Domains. In the list, click All Domains. When the All Domains option is selected and the machine is on a domain, the domain that the user belongs to is matched, and the username and group membership information is sent to the Cisco Cloud Web Security scanning proxy. This option is useful for companies with more than one domain present.

b) Alternatively, click Specify Individual Domains.

Enter each domain name in NetBIOS format and click Add. For example, the NetBIOS format of example.cisco.com is cisco. Do not enter domain names using the DNS format: abc.def.com.


If you specify a domain name in the Enterprise Domain name field, Cisco Cloud Web Security identifies the currently logged-in Active Directory user, enumerates that user's Active Directory groups, and sends that information to the scanning proxy with every request.

c) In the Use list, click Group Include List or Group Exclude List to either include or exclude group information in HTTP requests to the Cisco Cloud Web Security scanning proxy. Values can be any substring of the string to be matched.

Group Include List. After selecting Group Include List, add the Cisco Cloud Web Security or Active Directory group names to the Group Include list. These group names are sent to the Cisco Cloud Web Security scanning proxy server with HTTP requests. If a request comes from a user in the specified enterprise domain, the HTTP request is filtered in accordance with the user's group membership. If the user has no group membership, HTTP requests are filtered using a default set of filtering rules.

Group Exclude List. To the Group Exclude List, add the Cisco Cloud Web Security or Active Directory group names. These group names are not sent to the Cisco Cloud Web Security scanning proxy server with HTTP requests. If the user belongs to one of the groups in the Group Exclude List, that group name is not sent to the scanning proxy server, and the user's HTTP requests are filtered either by other group memberships or, at the minimum, by a default set of filtering rules defined for users with no Active Directory or Cisco Cloud Web Security group affiliation.

Step 7 Click Custom matching and reporting for machines not joined to domains to send the scanning proxy server a custom name.

a) In the list, click Computer Name to use the name of the computer. Alternatively, click Local User to use the local username. Alternatively, click Custom Name and enter a custom username. It can be any string. If you do not enter a string, the IP address of the computer is sent to the scanning proxy server instead. This username or IP address is used in any Cisco ScanCenter reports that identify HTTP traffic from the custom user.

b) In the Authentication Group field, enter a custom group name of up to 256 alphanumeric characters and click Add.

When HTTP requests are sent to the scanning proxy server, if a custom group name was sent and there is a corresponding group name on the scanning proxy server, the HTTP traffic is filtered by the rules associated with the custom group name. If no corresponding custom group is defined on the scanning proxy server, HTTP requests are filtered by the default rules.

If you only configured a custom username and no custom group, HTTP requests are filtered by the scanning proxy server default rules.

Step 8 Save the Web Security client profile.
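The Group Include List and Group Exclude List in Step 6c match any substring of a group name, which makes short entries easy to get wrong. The model below, an added example rather than the AnyConnect implementation, works through which group names would reach the scanning proxy under each mode and when a user falls back to the default rules. Matching is plain case-sensitive substring search because the text does not say how case is handled; the group names are constructed.

```python
# Added model of Group Include List / Group Exclude List matching (Step 6c);
# not the AnyConnect implementation. The text says a list entry matches any
# substring of the group name, so matching is plain substring search.
# Case handling is not documented above and is kept strict here on purpose.
from typing import Iterable, List


def _matches_any(group: str, patterns: Iterable[str]) -> bool:
    # An empty entry is ignored: in Python "" is a substring of everything,
    # which would silently turn an include list into "send all groups".
    return any(p and p in group for p in patterns)


def groups_to_send(user_groups: Iterable[str], mode: str, patterns: Iterable[str]) -> List[str]:
    """Return the group names that would be sent to the scanning proxy.

    mode "include": only groups matching an entry are sent.
    mode "exclude": groups matching an entry are withheld; the rest are sent.
    """
    patterns = list(patterns)
    if mode == "include":
        return [g for g in user_groups if _matches_any(g, patterns)]
    if mode == "exclude":
        return [g for g in user_groups if not _matches_any(g, patterns)]
    raise ValueError("mode must be 'include' or 'exclude'")


def filtering_basis(sent_groups: List[str]) -> str:
    """Per the text: if no group name is sent, the default rules apply."""
    if not sent_groups:
        return "default rules"
    return "group rules for: " + ", ".join(sent_groups)


if __name__ == "__main__":
    # Constructed Active Directory memberships for one user.
    memberships = ["Finance-Users", "All-Staff", "VPN-Admins"]
    print(groups_to_send(memberships, "include", ["Finance"]))               # ['Finance-Users']
    print(groups_to_send(memberships, "exclude", ["All-Staff", "Admins"]))   # ['Finance-Users']
    # A short entry over-matches: "-" occurs in every group name above.
    print(groups_to_send(memberships, "include", ["-"]))                     # all three
    # Excluding every group leaves the user on the default rules.
    print(filtering_basis(groups_to_send(memberships, "exclude", ["Finance", "Staff", "VPN"])))
```

Run your real group inventory through `groups_to_send` before deploying a list: an include entry like `Admin` also matches `Domain Admins` and `Helpdesk-Administrators`, and an exclude list that happens to cover every group puts the user on the default rule set.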

Advanced Web Security Settings

The Advanced panel of a Web Security client profile exposes several settings that may help Cisco customer support engineers troubleshoot problems. You should not change the settings on this panel unless you are instructed to do so by customer support.

From the Advanced panel in the profile editor, perform the following tasks:

• Configure the KDF Listening Port, on page 14

• Configure How the Port Listens for Incoming Connections, on page 14


• Configure When Timeout/Retries Occur, on page 15

• DNS Lookup, on page 15

• Debug Settings, on page 15

• Block and Allow Traffic, on page 16

Configure the KDF Listening Port

The Kernel Driver Framework (KDF) intercepts all connections that use one of the traffic listening ports as their destination port and forwards the traffic to the KDF listening port. The web scanning service analyzes all the traffic forwarded to the KDF listening port.

Before you begin

You should not change this setting unless instructed to do so by customer support.

Procedure

Step 1 Start the Web Security profile editor using one of the following methods:

• Open ASDM and choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.

• In Stand-alone mode on Windows, choose Start > All Programs > Cisco > Cisco AnyConnect Profile Editor > Web Security Profile Editor.

Step 2 Open the Web Security client profile that you wish to edit.

Step 3 Click Advanced in the Web Security tree pane.

Step 4 Specify the KDF listening port in the KDF Listen Port field.

Step 5 Save the Web Security client profile.

Configure How the Port Listens for Incoming Connections

The service communication port is the port on which the web scanning service listens for incoming connections from the AnyConnect GUI component and some other utility components.

Before you begin

You should not change this setting unless instructed to do so by customer support.

Procedure

Step 1 Start the Web Security profile editor using one of the following methods:

• Open ASDM and choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.


• In Stand-alone mode on Windows, choose Start > All Programs > Cisco > Cisco AnyConnect Profile Editor > Web Security Profile Editor.

Step 2 Select the Web Security client profile that you wish to edit and click Edit. Click Advanced in the Web Security tree pane.

Step 3 Edit the Service Communication Port field.

Step 4 Save the Web Security client profile.

Note

If you change the port from the default value of 5300, you must restart the Web Security service and the AnyConnect GUI component.

Configure When Timeout/Retries Occur

The connection timeout setting enables you to set the timeout before Web Security tries to access the Internet without using the scanning proxies. If left blank, it uses the default value of 4 seconds. This setting allows users to get access to paid network services faster, without waiting for the timeout to happen before retrying.

Procedure

Step 1 Start the Web Security profile editor using one of the following methods:

• Open ASDM and choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.

• In Stand-alone mode on Windows, choose Start > All Programs > Cisco > Cisco AnyConnect Profile Editor > Web Security Profile Editor.

Step 2 Open the Web Security client profile that you wish to edit.

Step 3 Click Advanced in the Web Security tree pane.

Step 4 Change the Connection Timeout field.

Step 5 Save the Web Security client profile.

DNS Lookup

The Advanced panel of the profile editor contains several fields for managing Domain Name Server lookups. These settings have been configured with optimal values for DNS lookups.

Guidelines

You should not change this setting unless instructed to do so by customer support.

Debug Settings

The Debug Level is a configurable field.


Guidelines

You should not change this setting unless instructed to do so by customer support.

Block and Allow Traffic

In the Connection Failure Policy list, select Fail Close to block traffic if a connection to the Cisco Cloud Web Security proxy server cannot be established. Alternatively, select Fail Open to allow traffic. Fail Open trades filtering for availability: whenever the scanning proxy is unreachable, web traffic leaves the endpoint unscanned, so anything that interrupts the path to the proxy also switches filtering off.

In the When a captive portal is detected list, select Fail Open to allow traffic if a connection to the Cisco Cloud Web Security proxy server cannot be established but a captive portal, such as a Wi-Fi hot spot, is detected. Alternatively, select Fail Close to block traffic.

Note

If host, proxy, or static exceptions are configured to include the captive portal address, then Fail Close will not block traffic.
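The two lists and the exception note above interact, and it is easy to misjudge what a given combination does when the proxy is down. The following is an added decision model of those rules, not AnyConnect code. It assumes, from the exception handling described on this page, that a destination on the host, proxy, or static exception lists is sent directly and never passes through the scanning proxy, which is why Fail Close cannot block it. Hostnames are constructed.

```python
# Added decision model of the Connection Failure Policy, the captive portal
# setting, and the exception note above; not AnyConnect code. Assumption:
# a destination on the host/proxy/static exception lists is sent directly
# and never scanned, so no failure policy can block it.
from dataclasses import dataclass
from typing import FrozenSet

FAIL_CLOSE = "Fail Close"
FAIL_OPEN = "Fail Open"


@dataclass(frozen=True)
class WebSecurityPolicy:
    connection_failure: str = FAIL_CLOSE        # Connection Failure Policy list
    captive_portal: str = FAIL_OPEN             # When a captive portal is detected list
    exceptions: FrozenSet[str] = frozenset()    # host, proxy and static exceptions


def decide(policy: WebSecurityPolicy, host: str,
           proxy_reachable: bool, captive_portal_detected: bool) -> str:
    """Return 'scan', 'allow direct' or 'block' for one HTTP request."""
    if host in policy.exceptions:
        return "allow direct"       # exceptions bypass the scanning proxy entirely
    if proxy_reachable:
        return "scan"               # normal path: Cisco Cloud Web Security proxy
    if captive_portal_detected:     # proxy down because a portal is in the way
        return "allow direct" if policy.captive_portal == FAIL_OPEN else "block"
    return "allow direct" if policy.connection_failure == FAIL_OPEN else "block"


if __name__ == "__main__":
    strict = WebSecurityPolicy()                                   # Fail Close, portals Fail Open
    permissive = WebSecurityPolicy(connection_failure=FAIL_OPEN)   # traffic flows unscanned
    for name, pol in (("strict", strict), ("permissive", permissive)):
        print(name, "proxy down, no portal ->",
              decide(pol, "www.example.com", proxy_reachable=False, captive_portal_detected=False))
    portal = "portal.hotel-wifi.example"    # constructed captive portal host
    print("portal, Fail Open  ->", decide(strict, portal, False, True))                  # allow direct
    locked = WebSecurityPolicy(captive_portal=FAIL_CLOSE)
    print("portal, Fail Close ->", decide(locked, portal, False, True))                  # block
    excepted = WebSecurityPolicy(captive_portal=FAIL_CLOSE, exceptions=frozenset({portal}))
    print("portal excepted    ->", decide(excepted, portal, False, True))                # allow direct
```

The last two lines are the case the Note describes: with the captive portal list set to Fail Close, the portal login page is blocked until the portal's address is added to an exception list, after which it is allowed while every other destination stays blocked.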

Other Customizable Web Security Options

Export Options

Export the Plain Text Web Security Client Profile File

Use this procedure to export the plain text (filename.wsp) version of the Web Security client profile from the ASA, for example to edit it or to attach it to a DART bundle. The plain text file contains the license key and service password set in the Authentication panel, so protect it as you would any credential file; the obfuscated (filename.wso) version is the one to distribute to endpoint devices.

Procedure

Step 1 Open ASDM and choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.

Step 2 Select the Web Security client profile that you wish to edit and click Export.

Step 3 Browse to a local folder to save the file. Editing the filename in the Local Path field saves the Web Security client profile with that new filename.

Step 4 Click Export.

ASDM exports the plain text filename.wsp version of the Web Security client profile.

Export the Plain Text Web Security Client Profile File for a DART Bundle

If you need to send a Diagnostic AnyConnect Reporting Tool (DART) bundle to Cisco customer service, send the plain text version of the Web Security client profile file (filename.wsp or filename.xml) along with the DART bundle. Cisco customer service cannot read the obfuscated version.

The stand-alone version of the profile editor creates two versions of the Web Security profile file: one file is obfuscated with the file name filename.wso, and the other is in plain text with the file name filename.xml.

Before sending the DART bundle to Cisco customer service, add the plain text version of your Web Security client profile to the DART bundle.


Edit and Import Plain Text Web Security Client Profile Files from ASDM

When you have exported the plain text Web Security client profile file, you can edit it on your local computer using any plain text or XML editor to make changes that the AnyConnect Web Security profile editor does not support. You should not change the plain text version of the Web Security client profile unless instructed to do so by customer support. Use this procedure to import the edited file back into ASDM.

Before you begin

Importing the file overwrites the contents of the Web Security client profile that you selected.

Procedure

Step 1 Open ASDM and choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.

Step 2 Select the Web Security client profile that you wish to edit and click Export.

Step 3 After making the changes to filename.wsp, return to the AnyConnect Client Profile page and select the profile name of the file that you edited.

Step 4 Click Import.

Step 5 Browse to the edited version of the Web Security client profile and click Import.

Export the Obfuscated Web Security Client Profile File

Procedure

Step 1 Open ASDM and choose Tools > File Management.

Step 2 In the File Management screen choose File Transfer > Between Local PC and Flash and use the File Transfer dialog to transfer the obfuscated filename.wso client profile file to your local computer.

Configure Split Tunnel Exclusions for Web Security

When a user has established a VPN session, all network traffic is sent through the VPN tunnel. However, when AnyConnect users are using Web Security, the HTTP traffic originating at the endpoint needs to be excluded from the tunnel and sent directly to the Cloud Web Security scanning proxy.

To set up the split tunnel exclusions for traffic meant for the Cloud Web Security scanning proxy, use the Set up split exclusion for Web Security button in a group policy.

Before you begin

• Configure Web Security for use with the AnyConnect client.

• Create a group policy and assign it a connection profile for AnyConnect clients configured with Web Security.


If you use the Secure Trusted Network Detection feature and want to ensure that Web Security and VPN are active at the same time, configure your network so that the HTTPS server is not reachable over the VPN tunnel. In this way, the Web Security functionality goes into bypass mode only when the user is on the corporate LAN.

Procedure

Step 1 In ASDM go to Configuration > Remote Access VPN > Network (Client) Access > Group Policies.

Step 2 Select a group policy and click Edit, or Add a new group policy.

Step 3 Choose Advanced > Split Tunneling.

Step 4 Click Set up split exclusion for Web Security.

Step 5 Enter a new, or select an existing, access list used for Web Security split exclusion. ASDM sets up the access list for use in the network list.

Step 6 Click Create Access List for a new list or Update Access List for an existing list.

Step 7 Click OK.

What to do next

When additional scanning proxies are added, update the unified access list that you created in this procedurewith new information.

Use Cisco Cloud Web Security Hosted Profiles

Starting in AnyConnect release 3.0.4, the Cisco ScanCenter Hosted Configuration for the Web Security Hosted Client Profile gives you the ability to provide new configurations to Web Security clients. Devices with Web Security can download a new Web Security Hosted Client Profile from the cloud (hosted configuration files reside on the Cisco ScanCenter server).

The AnyConnect client must also download its config files from the resource service through a hardcoded hostname in the AnyConnect binary. The request is made to hostedconfig.scansafe.net/ (IP: 46.155.41.2); the exchange is encrypted over TCP port 443.

Hosted configuration allows access to the ingress IPs of the CWS towers/proxies for AnyConnect Web Security via TCP port 443 (and also port 8080 in case of deploying in plain mode). The full list of towers/proxies for AnyConnect Web Security is available in the Prepare section of the Cisco ScanCenter Administration Guide. The client must be able to access 80.254.145.118 on TCP port 80, where it fetches the list of proxy towers and keeps itself up to date. The Web Security module must be set to make connections to Verisign over TCP port 80. On this range, clients check certificate revocation at TJ.symcb.com, T1.symcb.com, and T2.symcb.com.

Use the Web Security profile editor to create the client profile files and then upload the clear text XML file to a Cisco ScanCenter server. This XML file must contain a valid license key, which has the same company, group, or user license key associated with the hosted configuration that was defined and hosted in Cisco Cloud Web Security. The client retrieves the new configuration file, at most, 8 hours after it is applied to the hosted configuration server.

The Hosted Configuration feature uses the license key when retrieving a new client profile file from the Hosted Configuration (Cisco ScanCenter) server. Once the new client profile file is on the server, devices with Web Security automatically poll the server and download the new client profile file, provided that the license in the existing Web Security client profile is the same as a license associated with a client profile on the Hosted server. When a new client profile has been downloaded, Web Security will not download the same file again until you make a new client profile file available.

Refer to the Cisco ScanCenter Administration Guide, Release 5.2, for more information about license keys.

Before you begin

• Install the Web Security client device with a valid client profile that contains a Cisco Cloud Web Security license key.

• The restart Web Security agent service option is available only to users who have the necessary rights to restart the service.

• Client machines running the ACWS agent must have the Thawte Primary Root CA and Thawte SSL CA - G2 in the Trusted Root Certification Authority Store.

Procedure

Step 1 Using the Web Security profile editor, create a new client profile for the Web Security device. This client profile must contain the Cisco Cloud Web Security license key.

Step 2 Save the client profile file as a clear text XML file. Upload this file to the Cisco ScanCenter server. When the file is uploaded, make the new client profile available to Web Security clients.

Step 3 Upload the new client profile and apply it via Cisco ScanCenter for the company, provided that the Hosted Configuration feature was enabled for the company. A hosted client profile is associated with a license. If different licenses are in use (for example, different group license keys), each license can have its own client profile associated with it. You can then push down a different client profile to different users, depending on which licenses they are configured for. You store various configurations per license and set a default client profile for clients to download. They can then switch to one of the other revisions of configurations stored in the Hosted Configuration area of Cisco ScanCenter by selecting that client profile as the default. A license is associated with only one client profile; therefore, you can have only one default when more than one revision is associated with the license.

Switch Off and Enable the Cisco AnyConnect Web Security Agent

You can switch off and enable the Cisco AnyConnect Web Security Agent's ability to intercept web traffic by executing the following steps.

Switch Off and Enable Filters Using Windows

Procedure

Step 1 Open a command prompt window.

Step 2 Go to the %PROGRAMFILES%\Cisco\Cisco AnyConnect Secure Mobility Client folder.

Step 3 Switch filtering on or off:

• To enable filtering, enter acwebsecagent.exe -enablesvc


• To disable filtering, enter acwebsecagent.exe -disablesvc -servicepassword

Switch Off and Enable Filters Using Mac OS X

The service password is configured in the Authentication panel of the Web Security profile editor.

Procedure

Step 1 Launch the Terminal application.

Step 2 Go to the /opt/cisco/anyconnect/bin folder.

Step 3 Enable or switch off filtering:

• To enable filtering, enter ./acwebsecagent -enablesvc.

• To disable filtering, enter ./acwebsecagent -disablesvc -servicepassword.
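The -disablesvc command above is where the Service Password from Step 5 of the Authentication procedure is typed at a shell prompt, which is why that step restricts it to characters that neither cmd.exe nor XML treats specially. The helper below, an added example rather than Cisco tooling, checks a candidate password against the allowed character set from that step, flags the shipped default, and generates a replacement drawn only from the allowed alphabet. The explanation of which excluded characters matter to cmd.exe and XML is the editor's, not from the Cisco text.

```python
# Added helper for the Web Security Service Password (Authentication panel,
# Step 5) used by acwebsecagent -disablesvc -servicepassword; not Cisco
# tooling. The allowed alphabet is the one the procedure lists.
import secrets
import string
from typing import List

DEFAULT_SERVICE_PASSWORD = "websecurity"
ALLOWED_SPECIALS = "~@#$%*-_+={}[]:,.?/"
ALLOWED_ALPHABET = string.ascii_letters + string.digits + ALLOWED_SPECIALS

# Outside the allowed set, and the reason a practitioner cares (editor's note):
#   & | < > ^   cmd.exe command separators, redirection and escape
#   " ' space   quoting problems at a shell prompt
#   < > & " '   markup and entity characters in the XML profile
#   ! ( ) ; \   further shell-special characters on Windows and macOS


def check_service_password(password: str) -> List[str]:
    """Return a list of problems; an empty list means the password is acceptable."""
    problems: List[str] = []
    if not password:
        problems.append("empty")
    disallowed = sorted({c for c in password if c not in ALLOWED_ALPHABET})
    if disallowed:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in disallowed))
    if password == DEFAULT_SERVICE_PASSWORD:
        problems.append("still the shipped default; change it when customizing the profile")
    return problems


def is_valid_service_password(password: str) -> bool:
    return not check_service_password(password)


def generate_service_password(length: int = 24) -> str:
    """Random password from the allowed alphabet only, so it can be typed at the
    cmd.exe or Terminal prompt and stored in the XML profile unchanged."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALLOWED_ALPHABET) for _ in range(length))
        if is_valid_service_password(candidate):
            return candidate


if __name__ == "__main__":
    for candidate in ("websecurity", "Svc~Pass#2024", 'pa&ss|word', 'a<b>c&"d'):
        print(repr(candidate), "->", check_service_password(candidate) or "ok")
    print("generated:", generate_service_password())
```

Remember that the plain text profile stores this password readably, so the same handling rules apply to exported .wsp and .xml files as to the password itself.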

Web Security Logging

Windows

All Web Security messages are recorded in the Windows Event Viewer in the Event Viewer (Local)\Cisco AnyConnect Web Security Module folder. The events Web Security records in the event viewer are analyzed by Cisco Technical Assistance Center engineers.

Mac OS X

View Web Security messages from the syslog or console.
